Check for the existence of a post before calling current_user_can() with a meta cap on that object. fixes #20336.
git-svn-id: http://svn.automattic.com/wordpress/trunk@20637 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
ae772d3850
commit
ede4e67046
@ -831,6 +831,8 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||||||
$update = ! empty( $post_data['ID'] );
|
$update = ! empty( $post_data['ID'] );
|
||||||
|
|
||||||
if ( $update ) {
|
if ( $update ) {
|
||||||
|
if ( ! get_post( $post_data['ID'] ) )
|
||||||
|
return new IXR_Error( 401, __( 'Invalid post ID.' ) );
|
||||||
if ( ! current_user_can( $post_type->cap->edit_post, $post_data['ID'] ) )
|
if ( ! current_user_can( $post_type->cap->edit_post, $post_data['ID'] ) )
|
||||||
return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit this post.' ) );
|
return new IXR_Error( 401, __( 'Sorry, you are not allowed to edit this post.' ) );
|
||||||
if ( $post_data['post_type'] != get_post_type( $post_data['ID'] ) )
|
if ( $post_data['post_type'] != get_post_type( $post_data['ID'] ) )
|
||||||
@ -1814,14 +1816,15 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||||||
return $this->error;
|
return $this->error;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$page = get_page($page_id);
|
||||||
|
if ( ! $page )
|
||||||
|
return new IXR_Error( 404, __( 'Invalid post ID.' ) );
|
||||||
|
|
||||||
if ( !current_user_can( 'edit_page', $page_id ) )
|
if ( !current_user_can( 'edit_page', $page_id ) )
|
||||||
return new IXR_Error( 401, __( 'Sorry, you cannot edit this page.' ) );
|
return new IXR_Error( 401, __( 'Sorry, you cannot edit this page.' ) );
|
||||||
|
|
||||||
do_action('xmlrpc_call', 'wp.getPage');
|
do_action('xmlrpc_call', 'wp.getPage');
|
||||||
|
|
||||||
// Lookup page info.
|
|
||||||
$page = get_page($page_id);
|
|
||||||
|
|
||||||
// If we found the page then format the data.
|
// If we found the page then format the data.
|
||||||
if ( $page->ID && ($page->post_type == 'page') ) {
|
if ( $page->ID && ($page->post_type == 'page') ) {
|
||||||
// Get all of the page content and link.
|
// Get all of the page content and link.
|
||||||
@ -3268,13 +3271,15 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||||||
if ( !$user = $this->login($username, $password) )
|
if ( !$user = $this->login($username, $password) )
|
||||||
return $this->error;
|
return $this->error;
|
||||||
|
|
||||||
|
$post_data = wp_get_single_post($post_ID, ARRAY_A);
|
||||||
|
if ( ! $post_data )
|
||||||
|
return new IXR_Error( 404, __( 'Invalid post ID.' ) );
|
||||||
|
|
||||||
if ( !current_user_can( 'edit_post', $post_ID ) )
|
if ( !current_user_can( 'edit_post', $post_ID ) )
|
||||||
return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) );
|
return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) );
|
||||||
|
|
||||||
do_action('xmlrpc_call', 'blogger.getPost');
|
do_action('xmlrpc_call', 'blogger.getPost');
|
||||||
|
|
||||||
$post_data = wp_get_single_post($post_ID, ARRAY_A);
|
|
||||||
|
|
||||||
$categories = implode(',', wp_get_post_categories($post_ID));
|
$categories = implode(',', wp_get_post_categories($post_ID));
|
||||||
|
|
||||||
$content = '<title>'.stripslashes($post_data['post_title']).'</title>';
|
$content = '<title>'.stripslashes($post_data['post_title']).'</title>';
|
||||||
@ -4218,13 +4223,15 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||||||
if ( !$user = $this->login($username, $password) )
|
if ( !$user = $this->login($username, $password) )
|
||||||
return $this->error;
|
return $this->error;
|
||||||
|
|
||||||
|
$postdata = wp_get_single_post($post_ID, ARRAY_A);
|
||||||
|
if ( ! $postdata )
|
||||||
|
return new IXR_Error( 404, __( 'Invalid post ID.' ) );
|
||||||
|
|
||||||
if ( !current_user_can( 'edit_post', $post_ID ) )
|
if ( !current_user_can( 'edit_post', $post_ID ) )
|
||||||
return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) );
|
return new IXR_Error( 401, __( 'Sorry, you cannot edit this post.' ) );
|
||||||
|
|
||||||
do_action('xmlrpc_call', 'metaWeblog.getPost');
|
do_action('xmlrpc_call', 'metaWeblog.getPost');
|
||||||
|
|
||||||
$postdata = wp_get_single_post($post_ID, ARRAY_A);
|
|
||||||
|
|
||||||
if ($postdata['post_date'] != '') {
|
if ($postdata['post_date'] != '') {
|
||||||
$post_date = $this->_convert_date( $postdata['post_date'] );
|
$post_date = $this->_convert_date( $postdata['post_date'] );
|
||||||
$post_date_gmt = $this->_convert_date_gmt( $postdata['post_date_gmt'], $postdata['post_date'] );
|
$post_date_gmt = $this->_convert_date_gmt( $postdata['post_date_gmt'], $postdata['post_date'] );
|
||||||
@ -4686,6 +4693,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||||||
if ( !$user = $this->login($username, $password) )
|
if ( !$user = $this->login($username, $password) )
|
||||||
return $this->error;
|
return $this->error;
|
||||||
|
|
||||||
|
if ( ! get_post( $post_ID ) )
|
||||||
|
return new IXR_Error( 404, __( 'Invalid post ID.' ) );
|
||||||
|
|
||||||
if ( !current_user_can( 'edit_post', $post_ID ) )
|
if ( !current_user_can( 'edit_post', $post_ID ) )
|
||||||
return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
|
return new IXR_Error( 401, __( 'Sorry, you can not edit this post.' ) );
|
||||||
|
|
||||||
@ -4729,6 +4739,9 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||||||
|
|
||||||
do_action('xmlrpc_call', 'mt.setPostCategories');
|
do_action('xmlrpc_call', 'mt.setPostCategories');
|
||||||
|
|
||||||
|
if ( ! get_post( $post_ID ) )
|
||||||
|
return new IXR_Error( 404, __( 'Invalid post ID.' ) );
|
||||||
|
|
||||||
if ( !current_user_can('edit_post', $post_ID) )
|
if ( !current_user_can('edit_post', $post_ID) )
|
||||||
return new IXR_Error(401, __('Sorry, you cannot edit this post.'));
|
return new IXR_Error(401, __('Sorry, you cannot edit this post.'));
|
||||||
|
|
||||||
@ -4836,11 +4849,13 @@ class wp_xmlrpc_server extends IXR_Server {
|
|||||||
|
|
||||||
do_action('xmlrpc_call', 'mt.publishPost');
|
do_action('xmlrpc_call', 'mt.publishPost');
|
||||||
|
|
||||||
|
$postdata = wp_get_single_post($post_ID, ARRAY_A);
|
||||||
|
if ( ! $postdata )
|
||||||
|
return new IXR_Error( 404, __( 'Invalid post ID.' ) );
|
||||||
|
|
||||||
if ( !current_user_can('publish_posts') || !current_user_can('edit_post', $post_ID) )
|
if ( !current_user_can('publish_posts') || !current_user_can('edit_post', $post_ID) )
|
||||||
return new IXR_Error(401, __('Sorry, you cannot publish this post.'));
|
return new IXR_Error(401, __('Sorry, you cannot publish this post.'));
|
||||||
|
|
||||||
$postdata = wp_get_single_post($post_ID,ARRAY_A);
|
|
||||||
|
|
||||||
$postdata['post_status'] = 'publish';
|
$postdata['post_status'] = 'publish';
|
||||||
|
|
||||||
// retain old cats
|
// retain old cats
|
||||||
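Review bot: The `@ -831` hunk answers a missing post with `IXR_Error( 401, __( 'Invalid post ID.' ) )`, while every other hunk in this commit returns 404 for the identical message; `return new IXR_Error( 404, __( 'Invalid post ID.' ) );` there would keep the status codes consistent for clients that branch on the code rather than the string. In each method the new existence check now runs before the capability check, so any caller who passes login() can tell an existing ID from a missing one by the 404/401 difference; if that distinction is meant to stay behind the edit capability (drafts, private posts), the existence failure could return the same 401 as the capability failure, though checking existence first is what #20336 asks for and what makes the meta-cap call safe. The enclosing methods start and end outside every hunk shown here.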
|